IN THE CLAIMS : 

1 . (Original) A method for securely communicating between a private computer satellite 
network and a public network, the method comprising the steps of: 

providing a network firewall in the satellite network between the satellite network and 
the public network; 

providing a secure access appliance in said satellite network; 

sending an outgoing message fi^om the secure access appliance through said firewall to 
the public network; 

creating an answer message to said outgoing message outside of said satellite network, 
said answer message asking the secure access appliance to open a tunnel through said firewall; 

sending said answer message from the public network through said firewall into the 
satellite network in answer to the outgoing message; 

receiving said answer message at the secure access appliance; 

the secure access appliance opening a tunnel in said firewall after receiving said answer 
message. 

2. (Original) A method in accordance with claim 1, further comprising: 
providing a permitted and a forbidden network entity in the satellite network; 
blocking the secure access appliance fi-om conmiunicating with the forbidden entity; 
passing communications between the secure access appliance and the permitted network 

entity. 



3. (Original) A method in accordance with claim 2, wherein: 
said blocking is performed inside the secure access appliance. 



4. (Original) A method in accordance with claim 2, wherein: 

said blocking is performed inside the secure access appliance by one of an internal 
network switch and a network filter, 

5. (Original) A method in accordance with claim 1, wherein: 

the firewall is configured to allow outgoing type messages to pass through the firewall 
to the public network; 

the firewall is configured to allow answer type messages to the outgoing type messages 
5 to pass through the firewall into the satellite network. 

6. (Original) A method in accordance with claim 1, wherein: 

the firewall is configured to allow outgoing HTTP type messages to pass through the 
firewall to the public network; 

the firewall is configured to allow answering HTTP type messages to the outgoing 
5 HTTP type messages to pass through the firewall into the satellite network. 

7. (Original) A method in accordance with claim 6, wherein: 

said firewall passes HTTP protocol messages for Worid Wide Web access by entities 



3 



of the satellite network. 

8. (Original) A method in accordance with claim 1, further comprising: 
providing rules for operation of the tunnel in the secure access appliance; 
operating the tunnel according to the rules during and after said opening of the tunnel. 

9. (Original) A method in accordance with claim 8, wherein: 
the satellite network includes a plurality of network entities; 

the rules limit which of the network entities the tunnel can access. 

10. (Original) A method in accordance with claim 9, wherein: 

the rules include instructions for forming a virtual private network and a network fiher. 

11. (Original) A method in accordance with claim 1, wherein: 

the outgoing message is a status message and is sent periodically from the satellite 
network through the firewall to the public network, 

12. (Original) A method in accordance with claim 1, further comprising: 
providing a private computer director network connected to the public network, the 

director network including a controller and a server; 

sending the outgoing message from the satellite network to the director network; 
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the controller sending the answer message to the satellite network asking to open a 
tunnel through the firewall; 

the controller sending a tunnel request message to the server asking to open the tunnel 
with the satellite network; 

the server and the secure access appliance cooperating to open and operate the tunnel; 

providing server rules for operation of the tunnel in the server; 

operating the tunnel at the server according to the server rules during and after the 
opening of the tunnel 

13. (Original) A method in accordance with claim 1, forther comprising: 
monitoring a parameter within the satellite network; 

operating said secure access appliance to open said tunnel when said parameter is in a 
predetermined state, said monitoring including monitoring a plurality of parameters of the 
satellite network, said operating of said secure access appliance includes providing a policy in 
the satellite network using said plurality of parameters to control when said secure access 
appliance establishes said tunnel, said policy including a state machine controlling said secure 
access appliance, said plurality of parameters operate said state machine; 

providing a network filter between the satellite network and said public network; 

providing network filter rules for configuring said network filter when said parameter 
is in said predetermined state; 

configuring said network filter when said policy controls said secure access appliance 



to open said tunnel; 

configuring said network filter according to said network filter rules when said 
15 parameter is in said predetermined state; 

providing packet router rules for configuring a packet router when said policy controls 
said secure access appliance to open said tunnel; 

configuring said packet router according to said packet router rules when said policy 
controls said secure access appliance to open said tunnel; 
20 said parameter is a status of the satellite network, and said predetermined state is said 

status being outside of predetermined acceptable limits; 

said secure access appliance and a VPN server connect to form a virtual private 
network; 

a distributed state machine is used to control a life cycle of said virtual private network, 
25 an expert system configures said distributed state machine according to said policies, said 

polices are expressed as Extensible Markup Language (XML); 

configuration of said distributed state machine is monitored for auditing purposes; 
auditing information is expressed as XML; 

probes are defined to measure a network state or statistic on the satellite network; 
30 a plurality of probe data is aggregated and reported to a directed circuit policy manager; 

said aggregation of said probe data is expressed as XML. 



14. (Currently Amended) A system for securely communicating between a private 
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computer satellite network and a private computer director network through a public network, 
the satellite network including a firewall th e sa t ellite network and the public network , the 
system comprising: 

5 a secure access appliance in the satellite network sending an outgoing message through 

the firewall and the public network to the director network, the firewall accepting answer 
messages fi-om the public network answering said outgoing message, said secure access 
appliance including a tunnel client opening a tunnel in the firewall in response to an answer 
message asking said secure access appliance to open a tunnel through said firewall. 

15. (Original) A system in accordance with claim 14, wherein: 

said secure access appliance includes satellite rules for operation of said tunnel in the 
satellite network, 

16. (Original) A system in accordance with claim 14, fiirther comprising 

a plurality of network entities in the satellite network, said secure access appliance 
includes satellite rules for limiting which of said network entities said secure access appliance 
can access. 

17. (Original) A system in accordance with claim 16, wherein: 

said secure access appliance includes a virtual private network device and a network 
filter configured according to said satellite rules. 
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18. (Original) A system in accordance with claim 14, wherein: 

said outgoing message is a status message sent periodically from the satellite network 
through said firewall to the public network. 

19. (Original) A system in accordance with claim 15, wherein: 

the director network includes a controller and a server, said controller sending said 
answer message to said secure access appliance in the satellite network asking to open a tunnel 
through the firewall, said controller sending a tunnel request message to said server asking to 
5 open said tunnel with the satellite network, said server includes director rules for operation of 

said tunnel in said server, said server and said tunnel client cooperating to open and operate said 
tunnel according to said server and client rules. 
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